Hello, I'm troubleshooting an issue where I need to figure out if the some SYN/ACK that I'm seeing are in response to an specific SYN.

I took to independent captures, in two different locations and simultaneously, I can see the SYN from my laptop, but I don't see any SYN/ACK anywhere in the same capture, when I check the other capture I notice that there are many SYN/ACK but I don't know how to match one of those SYN/ACK to the SYN that the computer sent.

Can you please help me?

asked 06 Mar '13, 09:52

wil1323's gravatar image

wil1323
6225
accept rate: 0%


You need to disable the relative Sequence numbers for the TCP protocol first. You can do that in the preferences -> Protocols sections, or by right clicking the TCP layer in any packet that has TCP inside. Matching packets on multiple locations usually works by finding the same two IPs talking on the same two ports with each other (a "Socket Pair"). Then, try to find the same TCP Sequence numbers of a packet in one trace in the other trace. Sequence numbers are usually unique inside one TCP conversation unless there is so much data transfered that it forces the sequence number to wrap around.

If you can find the same packet containing the same socket pair and the same TCP sequence number, you've got it. If you can't find it anywhere, it's probaby not in the trace file. It might still have been on "the wire" but wasn't captured for performance or other reasons. You can usually tell if that is the case if you see the two nodes talking happily (meaning: without retransmissions and duplicate acks) with each other even though there seem to be missing packets.

link

answered 06 Mar '13, 10:19

Jasper's gravatar image

Jasper ♦
16.1k338212
accept rate: 17%

edited 06 Mar '13, 15:15

Hi Jasper, Can we decode it with stream index?

Let us say the syn is having stream index "n" and obviously the related syn-ack will have index "n" Correct me if i am wrong

Thanks

(06 Mar '13, 10:37) krishnayeddula

Going by stream index only works if you only have one trace file. In that case you'll find all packets belonging to one conversation by filtering on its stream index.

Stream index will not work if you compare traces, because the index always starts fresh for each trace, and you can't tell if the same conversation will have the same stream index. If it is, its a pretty rare coincidence, and I wouldn't rely on being that lucky. Better use a conversation filter that contains both IPs and both ports.

(06 Mar '13, 10:40) Jasper ♦

Got it thanks

(06 Mar '13, 10:42) krishnayeddula

Hello.

One more question, by using the filter tcp.flags == 0x0012, I'm able to find all [ SYN,ACK ] packets in one capture, so now wireshark lists all SYN,ACK, but how can I do a look up in the other sniffer capture that I took, to find out what syn,ack corresponds to what syn.

Thank you again.

(06 Mar '13, 13:06) wil1323

You'll have to compare absolute TCP sequence numbers. You could add a custom column for the sequence number to have the numbers listed for each SYN/ACK. Easiest way to do is to select the sequence number in the decode pane of any TCP packet and then use the popup menu to "apply as column".

If you have one SYN/ACK you want to track in the other file you could just filter or search for it, by using "tcp.seq==NUMBER", where "NUMBER" is the number you look for.

(06 Mar '13, 13:34) Jasper ♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Tags:

×75
×29
×23
×1

Asked: 06 Mar '13, 09:52

Seen: 5,715 times

Last updated: 06 Mar '13, 15:15

powered by OSQA